On Tue, Sep 09, 2025 at 06:54:15PM +0200, Ilya Maximets wrote:
> Both OVS and TC flower allow extracting and matching on the DF bit of
> the outer IP header via OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT in the
> OVS_KEY_ATTR_TUNNEL and TCA_FLOWER_KEY_FLAGS_TUNNEL_DONT_FRAGMENT in
> the TCA_FLOWER_KEY_ENC_FLAGS respectively. Flow dissector extracts
> this information as FLOW_DIS_F_TUNNEL_DONT_FRAGMENT from the tunnel
> info key.
>
> However, the IP_TUNNEL_DONT_FRAGMENT_BIT in the tunnel key is never
> actually set, because the tunneling code doesn't actually extract it
> from the IP header. OAM and CRIT_OPT are extracted by the tunnel
> implementation code, same code also sets the KEY flag, if present.
> UDP tunnel core takes care of setting the CSUM flag if the checksum
> is present in the UDP header, but the DONT_FRAGMENT is not handled at
> any layer.
>
> Fix that by checking the bit and setting the corresponding flag while
> populating the tunnel info in the IP layer where it belongs.
>
> Not using __assign_bit as we don't really need to clear the bit in a
> just initialized field. It also doesn't seem like using __assign_bit
> will make the code look better.
>
> Clearly, users didn't rely on this functionality for anything very
> important until now. The reason why this doesn't break OVS logic is
> that it only matches on what kernel previously parsed out and if kernel
> consistently reports this bit as zero, OVS will only match on it to be
> zero, which sort of works. But it is still a bug that the uAPI reports
> and allows matching on the field that is not actually checked in the
> packet. And this is causing misleading -df reporting in OVS datapath
> flows, while the tunnel traffic actually has the bit set in most cases.
>
> This may also cause issues if a hardware properly implements support
> for tunnel flag matching as it will disagree with the implementation
> in a software path of TC flower.
>
> Fixes: 7d5437c709de ("openvswitch: Add tunneling interface.")
> Fixes: 1d17568e74de ("net/sched: cls_flower: add support for matching tunnel
> control flags")
> Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
Reviewed-by: Ido Schimmel <ido...@nvidia.com>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
